Evidence of meeting #118 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was definition.
A recording is available from Parliament.
11:50 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I'm not in a position to interpret the intentions of those involved. However, I can say that two objectives emerged from the conversations I had with people in each sector.
On the one hand, people want the standards to be clarified so that companies are really able to implement them.
On the other hand, the aim is to protect privacy.
11:50 a.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Généreux.
We will continue with Mr. Perkins, followed by Mr. Vis and Mr. Garon.
Mr. Perkins, the floor is yours.
11:50 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Thank you, Mr. Chair.
Thank you to the witnesses.
I'll take a step back, Mr. Schaan. What's the purpose of anonymization?
11:50 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
As Mr. Chhabra explained, there's a continuum of the privacy-enhancing nature of the state of a piece of information. On one end is anonymization, which essentially renders it incapable of being able to reidentify the individual, and then, on the other end, it would be fully declarable. I don't know what the right term is, but it's essentially understood who the individual is.
The goal is to create a continuum of likely states of information and recognize their existence in a commercial context, which the CPPA will regulate, ensure that appropriate safeguards are placed along each stage of the continuum and then potentially encourage the usage of information in those states with the appropriate safeguards in place at each stage.
11:50 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
What's the purpose of a company being forced to take it to that final test of making sure it's anonymized? Is it because they're sharing it outside their organization? If it's information you gathered internally through your customer base or whatever, you don't need it anonymized unless you're sharing it in some way.
11:50 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The use cases for anonymized information would vary, but I think there is an understanding that information can potentially be still rendered useful either within the organization or outside of it, because, even within the case of identified information, it needs to be prescribed to the purposes for which it was collected. The law specifically states that people should minimize information only for its most necessary uses.
Even in the case of one's own organization, there would be, potentially, use cases for which anonymized information might still be valuable but wouldn't rise to the level of providing either de-identified or identifiable information to those parts of the organization, because there's not a use case specific to why it would leap to that level. Particularly, in increasingly large and aggregated datasets, they can have value without necessarily needing identifiable information.
11:55 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
As an example, I'll just draw on my past life as a retail marketer.
I would be a member of a coalition program, one like air miles. We would collect and get access to the data of what our customers would be using air miles for and how it would impact the sales, but we also could get access to data from air miles more generally, like what people of certain profiles are doing, but it wouldn't necessarily be with an individual identifier on it. It would be people in a certain income bracket or geography or whatever who have these other purchasing patterns so I could draw some conclusions.
That's a case where I might be buying or getting anonymized data as a marketer. Is it that kind of thing?
11:55 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Yes. I think the use case would determine whether or not that information was de-identified or anonymized. I think that in many cases where people think they might be dealing with anonymized information, they're actually dealing with de-identified information.
11:55 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
It all depends on what their terms of use are when they signed up for, in this case, air miles or something else.
11:55 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Well, no, it actually depends on the techniques that have been utilized to strip out any personal identifiers. A de-identified set, like a loyalty program, may still have enough discernible information to actually constitute itself to be de-identifiable. It would not rise to the level of anonymous information; it would actually still be considered to be de-identified.
11:55 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
That's a great point. We had testimony from organizations, like the Canadian Marketing Association and others, here before the committee that said it's impossible to anonymize and that this definition was too strong. We heard from others, like the Privacy Commissioner and others in the privacy space, who said that it actually is but that it's just not strong enough language.
The idea is to get it to the point where it's impossible to reidentify. However, you said a few moments ago with regard to this point that it's almost impossible. The purpose of the government is not to get it to impossible but to almost impossible.
What do you see as the difference?
11:55 a.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I think you'll see in G-2 the construct of “reasonably foreseeable”, which is another reason why we believe that “generally acceptable best practices” is an important construct because the continued availability of other sets of information, other techniques and other kinds of computational tools may take what was believed to be anonymized and actually shift it to a world in which it could be. This is why continuous conformity to generally acceptable best practices and a standard of “reasonably foreseeable”—which is “I couldn't have imagined this was possible”—are the two nuances I'm introducing or suggesting are important when thinking about anonymized information.
11:55 a.m.
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
In the Privacy Commissioner's submission to us on this issue—MP Masse only read a small part—he goes on to say, in talking about this issue:
As currently drafted, organizations could anonymize personal information using “generally accepted best practices”.
That's the term we're discussing here.
He goes on:
However, there is no explanation of what these practices are or what would be considered “generally accepted.” Including this language opens the door to the possibility that some organizations might rely on anonymization techniques promoted by certain experts or groups that are insufficient for a given dataset.
Liberal members, the government and yourself have used CANON as an example of an organization that would provide guidance. I've met with a number of the members of CANON, which include the big five banks, Rogers, Telus, Loblaws, Sun Life, Microsoft, the CRA, Canada Post, StatsCan and Health Canada. I look at those big corporate entities, and I know that when I met with those big corporate entities, they weren't interested in a narrowcast of a tight definition because it's not in their interests to be able to be restricted in that way. If you remove this section, I think it puts more onus on organizations to focus on what the Privacy Commissioner says and interprets. As we talked about at the last meeting around the best interests of children, the Privacy Commissioner has the responsibility under the provisions of this act to provide guidance to organizations on these areas, does it not?
Noon
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The Privacy Commissioner has the capacity to issue guidance on matters related to the implementation of the consumer privacy protection act.
Noon
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
That's right, and that's what he goes on to say in his submission:
the CPPA includes a number of mechanisms for the [Office of the Privacy Commissioner] to assist organizations in meeting their obligations, including providing guidance on privacy management programs, developing guidance materials, and reviewing and approving codes of practice.
I'm not interested that much in what are generally accepted best practices by industry associations. I'm more interested in the power of the guidance of the Privacy Commissioner. I'm reluctant to support a provision that allows anonymization to be watered down to “almost impossible but maybe possible” because the language is given there to allow outside industry associations to set the standard and not the Privacy Commissioner. Wouldn't you agree that the Privacy Commissioner is the appropriate office to set these standards, not private sector organizations?
Noon
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
I think you'll find no dispute that the Privacy Commissioner is the ultimate interpreter of the enforcement of the act.
As it relates to the techniques utilized for the purposes of anonymization, there are important voices to include, such as those of academics, who are party to some of what has been encouraged in this space, and those of Statistics Canada, Health Canada and the Public Health Agency of Canada. All of these contribute to the view that acceptable best practices can be established and upheld within this remit.
Noon
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Doesn't the Privacy Commissioner have the responsibility, though, to talk to all of those groups in developing the policies and guidelines?
Noon
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The consultative obligations of the Privacy Commissioner are at the Privacy Commissioner's discretion.
Noon
Conservative
Rick Perkins Conservative South Shore—St. Margarets, NS
Again, my preference.... I guess this is where I'll leave it. I'll just restate that I'm not sure an organization like CANON—which is dominated by the big five banks, the big oligopolistic telephone companies, the insurance companies and the large data miners globally, like Microsoft—is the guide I want to see driving the policies of Canadian privacy law.
Thank you, Mr. Chair.
Noon
Liberal
The Chair Liberal Joël Lightbound
Thank you, Mr. Perkins.
I'm going to turn it over to Mr. Vis.
Before I do that, I just want to remind members, as we're discussing NDP-2, that if NDP-2 is adopted, G-2 cannot be moved because there is a line conflict. I highlighted that last time. I just want to make sure it's on everybody's mind.
Mr. Vis, the floor is yours.
Noon
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
That's very helpful, Mr. Chair.
Building on this important discussion about widely acceptable standards, earlier today, Mr. Schaan mentioned that the best practices line, which has taken up the majority of the last hour, is included in Quebec's privacy law.
Is that correct, Mr. Schaan? Is that why the government is adopting that language?
Noon
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
That's not the sole origin, but it is noted that it is one of the benefits of accepting this language.
April 15th, 2024 / noon
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
Thank you.
In clause 2, under the “Purpose and Application” section of the bill on page 8, it reads:
For greater certainty, this Act does not apply in respect of personal information that has been anonymized.
I think the debate we're having right now is one.... We heard from witnesses like Ms. Scassa, who talked about the almost impossibility of de-identifying data based on the best practices that exist out there, and how we can never be 100% sure. That was very clear. She outlined that the department seems to be very much on the side of some of those big corporations that want as much leeway as possible in the design of anonymization and de-identification to protect their corporate interests and business interests. That's fine. That's their objective, and I acknowledge that, regardless of whether or not I agree with it.
However, if we're making a comparison with the Quebec law, does the Quebec law exempt anonymized data from the scope and application of the bill?
More specifically, is there greater certainty in Quebec's law that would not apply in respect of personal information that has been anonymized? Is there something in Quebec's legislation like what we have on page 8?
12:05 p.m.
Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
The Quebec law states that if it's anonymized by the definitions contained in the regulations, then it is out of the scope of their privacy law.
12:05 p.m.
Conservative
Brad Vis Conservative Mission—Matsqui—Fraser Canyon, BC
In Quebec's law, de-identified data does not apply in this—